Introduction
The AAF supports OpenID Connect (OIDC) connectivity and operates an OpenID Provider (OP) which authenticates users who have an account at any AAF subscriber Identity Provider (IdP). This service is a production option available to AAF subscribers for connecting their OIDC services to the Federation. It is a maturing service and at this stage supports only a subset of attributes/claims (for attribute requirements outside this range, please contact us to discuss).
There are no service management interfaces or self-service options for registering or managing a connector. AAF Support is the key contact for all service requests and changes to connectors. A registration and management interface is currently under development and should be available in early 2023.
Attributes / Claims
Supported Scopes | Claims |
---|---|
openid | Returns the sub claim, which uniquely identifies the user. In an ID Token, the iss, aud, exp, iat and at_hash claims will also be present. |
profile | Returns claims that represent basic profile information, including name, family_name, given_name and preferred_username. |
email | Returns the email claim, which contains the user's email address. |
phone | Returns the user's phone_number. Few AAF IdPs will return this value. |
aueduperson | Returns the user's au_edu_person_shared_token value. |
eduperson_affiliation | Returns the user's eduperson_affiliation value. |
eduperson_assurance | Returns the user's eduperson_assurance value. |
eduperson_orcid | Returns the user's eduperson_orcid value. |
eduperson_principal_name | Returns the user's eduperson_principal_name value. |
eduperson_scoped_affiliation | Returns the user's eduperson_scoped_affiliation value. |
schac_home_organization | Returns the user's schac_home_organization value. |
Note: a claim for a user will only be provided if their home organisation releases the specific attribute. For example, most universities will NOT provide phone numbers for their users.
Details
Before registering an OIDC service, deployers must have sufficient experience with OIDC integration work to build their own Relying Party (RP) components with minimal help from the AAF technical team. Several open-source libraries implement most of the RP requirements in a range of languages; GitHub is an excellent resource, as is the OpenID Foundation's library list at https://openid.net/developers/libraries/. The AAF does not offer support or advice in this area, and the choice depends on the subscriber's strengths and existing knowledge of OIDC integration.
The AAF OP satisfies the OIDC conformance testing framework and passes the Authorization Code and Implicit flow tests. The AAF monitors the OP during business hours and responds promptly to service interruptions.
To register a new OIDC RP please use the contact for your environment:
Environment | How to register |
---|---|
AAF Production environment | Please e-mail support@aaf.edu.au with the details below. (A new UI is currently under development.) |
AAF Test environment | Please e-mail support@aaf.edu.au with the details below. (A new UI is currently under development.) |
- The service's redirect URL. It must be based on a hostname rather than an IP address and must use HTTPS.
- A descriptive name for the service.
- The name of the organisation operating the service, which must be an AAF subscriber.
- The service's purpose: development, testing or production-ready.
- Your Keybase account id, used to share the credentials securely.
- The environment you want to deploy to (Test or Production).
Once the technical team receives a registration, they will reach out and establish a secure messaging channel via https://keybase.io. New accounts on Keybase are currently free of charge. Over this secure channel, the technical team will supply the values generated for the RP service during registration, including the Client ID and secrets.
The AAF OIDC service supports querying the OP Configuration Information endpoint to retrieve the features and capabilities of the OIDC service. The AAF OP provides two endpoints, one for the Production Federation and one for the Test Federation, respectively:
https://central.aaf.edu.au/.well-known/openid-configuration
https://central.test.aaf.edu.au/.well-known/openid-configuration
Details for the Production Federation are here:
```
$ curl https://central.aaf.edu.au/.well-known/openid-configuration | jq
{
  "issuer": "https://central.aaf.edu.au",
  "authorization_endpoint": "https://central.aaf.edu.au/providers/op/authorize",
  "token_endpoint": "https://central.aaf.edu.au/providers/op/token",
  "jwks_uri": "https://central.aaf.edu.au/providers/op/jwks",
  "id_token_signing_alg_values_supported": [
    "RS256",
    "ES384"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "phone",
    "aueduperson",
    "eduperson_affiliation",
    "eduperson_assurance",
    "eduperson_entitlement",
    "eduperson_orcid",
    "eduperson_principal_name",
    "eduperson_scoped_affiliation",
    "schac_home_organization"
  ],
  "userinfo_endpoint": "https://central.aaf.edu.au/providers/op/userinfo",
  "claim_types_supported": [
    "normal"
  ],
  "claims_locales_supported": [
    "en"
  ],
  "claims_parameter_supported": false,
  "display_values_supported": [
    "page"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "op_policy_uri": "https://central.aaf.edu.au/documentation/policy",
  "op_tos_uri": "https://central.aaf.edu.au/documentation/tos",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "query",
    "fragment"
  ],
  "service_documentation": "https://central.aaf.edu.au/documentation/developers",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "ui_locales_supported": [
    "en"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256",
    "ES384"
  ]
}
```
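The discovery document above tells an RP which endpoints to use, which scopes it may request, how to authenticate at the token endpoint (client_secret_basic or client_secret_post) and which algorithms sign the ID token (RS256 or ES384, which also decides how the at_hash claim from the openid scope is computed). The following is an added example, not AAF code and not one of the libraries the page points to: standard-library Python helpers that consume a constructed subset of that discovery document, build the authorization-code request with state and nonce, prepare the client_secret_basic token request, and run the ID token claim checks (iss, aud/azp, exp, iat, nonce, at_hash). The client id, secret, redirect URL and token values are placeholders; verifying the ID token signature against jwks_uri is assumed to be done by your RP library before these claim checks run.

```python
# Added example (not AAF code): standard-library-only Relying Party helpers for
# the AAF OP. Verifying the ID token signature against jwks_uri is assumed to be
# done by the RP library you choose (as the page advises) before these checks run.
import base64
import hashlib
import json
import secrets
from urllib.parse import quote, urlencode

# Constructed subset of the production discovery document shown on this page.
DISCOVERY_JSON = """{
  "issuer": "https://central.aaf.edu.au",
  "authorization_endpoint": "https://central.aaf.edu.au/providers/op/authorize",
  "token_endpoint": "https://central.aaf.edu.au/providers/op/token",
  "jwks_uri": "https://central.aaf.edu.au/providers/op/jwks",
  "id_token_signing_alg_values_supported": ["RS256", "ES384"],
  "response_types_supported": ["code", "id_token", "id_token token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email", "phone", "eduperson_principal_name"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}"""

def b64url(data):
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def load_discovery(text, expected_issuer):
    """Parse the discovery document; refuse it unless the issuer is the one we
    configured and the OP offers the code flow with client_secret_basic."""
    doc = json.loads(text)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("unexpected issuer %r" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            raise ValueError("%s missing or not https" % key)
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("OP does not offer the authorization code flow")
    if "client_secret_basic" not in doc.get("token_endpoint_auth_methods_supported", []):
        raise ValueError("OP does not accept client_secret_basic")
    return doc

def build_authorization_url(doc, client_id, redirect_uri, scopes, state=None, nonce=None):
    """Front-channel request. state ties the callback to this browser session
    (CSRF defence); nonce ties the ID token to this request (replay defence).
    Store both server-side and check them when the user returns."""
    unsupported = sorted(set(scopes) - set(doc["scopes_supported"]))
    if "openid" not in scopes or unsupported:
        raise ValueError("scopes must include openid; unsupported: %s" % unsupported)
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "nonce": nonce}
    return doc["authorization_endpoint"] + "?" + urlencode(params), state, nonce

def token_request(doc, client_id, client_secret, code, redirect_uri):
    """Back-channel code exchange with client_secret_basic (RFC 6749 2.3.1:
    form-encode id and secret, then Basic-encode). Returns (url, headers, body)
    for your HTTP client; nothing is sent here."""
    creds = "%s:%s" % (quote(client_id, safe=""), quote(client_secret, safe=""))
    headers = {"Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return doc["token_endpoint"], headers, body

def expected_at_hash(access_token, alg):
    """OIDC Core 3.2.2.9: digest the access token with the hash of the ID token's
    alg (SHA-256 for RS256, SHA-384 for ES384), keep the left half, base64url."""
    digest = {"RS256": hashlib.sha256, "ES384": hashlib.sha384}[alg]
    h = digest(access_token.encode("ascii")).digest()
    return b64url(h[:len(h) // 2])

def validate_id_token_claims(claims, doc, client_id, nonce, access_token, alg, now,
                             leeway=60, require_at_hash=False):
    """Claim checks from OIDC Core 3.1.3.7, run only after the signature has been
    verified. Raises ValueError on the first failure; returns the sub claim.
    Set require_at_hash for the implicit 'id_token token' response, where it is
    mandatory; for the code flow it is checked whenever the OP includes it."""
    if claims.get("iss") != doc["issuer"]:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if now >= int(claims.get("exp", 0)) + leeway:
        raise ValueError("ID token expired")
    if int(claims.get("iat", 0)) > now + leeway:
        raise ValueError("iat is in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    at_hash = claims.get("at_hash")
    if access_token is not None and (at_hash or require_at_hash):
        if at_hash != expected_at_hash(access_token, alg):
            raise ValueError("at_hash does not match the access token")
    return claims["sub"]
```

Typical use is load_discovery on the fetched document, build_authorization_url to redirect the browser (persisting the returned state and nonce in the session), token_request to exchange the code at the token endpoint, then validate_id_token_claims with the stored nonce and the returned access token once the signature has been checked. The issuer check in load_discovery and the iss check on the token together stop a misconfigured or substituted discovery URL from silently pointing the RP at a different OP.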
Links
AAF Production OIDC Provider https://central.aaf.edu.au/.well-known/openid-configuration
AAF Test OIDC Provider https://central.test.aaf.edu.au/.well-known/openid-configuration
OpenID OIDC Developer Libraries https://openid.net/developers/libraries/
OpenID OIDC Overview https://openid.net/specs/openid-connect-core-1_0.html#Overview
OpenID OIDC Terminology https://openid.net/specs/openid-connect-core-1_0.html#Terminology